Title:
Do #ifdefs Influence the Occurrence of Vulnerabilities? An Empirical Study of the Linux Kernel

Abstract: Preprocessors support the diversification of software products with #ifdefs,
but also require additional effort from developers to maintain and understand
variable code. We conjecture that #ifdefs cause developers to produce more
vulnerable code because they are required to reason about multiple features
simultaneously and maintain complex mental models of dependencies of
configurable code.
We extracted a variational call graph across all configurations of the Linux
kernel, and used configuration complexity metrics to compare vulnerable and
non-vulnerable functions considering their vulnerability history. Our goal was
to learn about whether we can observe a measurable influence of configuration
complexity on the occurrence of vulnerabilities.
Our results suggest, among other things, that vulnerable functions have higher
variability than non-vulnerable ones and are also constrained by fewer
configuration options. This suggests that developers are inclined to notice
functions that appear in frequently compiled product variants. We aim to raise
developers' awareness of the need to address variability more systematically, since
configuration complexity is an important but often ignored aspect of software
product lines.
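To make the kind of measurement the abstract describes concrete, the following is an added example, not the paper's tooling or the Linux kernel's code. It scans a small constructed C file, tracks the stack of open #ifdef/#ifndef/#if blocks, and records for each function definition (a) which CONFIG_ options constrain whether the function is compiled at all, (b) how many conditional blocks sit inside its body, and (c) the deepest directive nesting inside the body. The metric names, the regular expressions, the sample source, and the set of "vulnerable" function names are all assumptions made here for illustration; the paper's actual metrics come from a variational call graph over real kernel configurations, which this toy does not build.

```python
import re
from dataclasses import dataclass

# Constructed sample: a tiny C file with configurable code (not kernel source).
SAMPLE_C = """\
#include <stdio.h>

#ifdef CONFIG_NET
static int net_init(void)
{
    int ret = 0;
#ifdef CONFIG_IPV6
    ret = setup_ipv6();
#ifndef CONFIG_IPV6_PRIVACY
    ret |= disable_privacy();
#endif
#endif
    return ret;
}
#endif

int core_init(void)
{
    return 0;
}
"""

DIRECTIVE_RE = re.compile(r"^\s*#\s*(ifdef|ifndef|if|elif|else|endif)\b\s*(.*)$")
# Heuristic function-definition matcher for this illustration: a top-level line
# with a name followed by '(' and no trailing ';' (which would be a prototype).
FUNC_RE = re.compile(r"^[A-Za-z_][\w\s\*]*?\b([A-Za-z_]\w*)\s*\(")
OPTION_RE = re.compile(r"\bCONFIG_\w+")


@dataclass
class FunctionMetrics:
    name: str
    presence_options: frozenset  # options deciding whether the function is compiled
    internal_blocks: int = 0     # #if/#ifdef/#ifndef directives inside the body
    max_nesting: int = 0         # deepest directive nesting inside the body


def options_in(expr):
    """Extract the CONFIG_ symbols mentioned in a directive expression."""
    return frozenset(OPTION_RE.findall(expr))


def analyze(source):
    """Return per-function configuration-complexity metrics for one C file."""
    stack = []          # one set of options per currently open conditional block
    results = []
    current = None      # function whose body we are inside, if any
    start_len = 0       # stack depth at the function's definition line
    brace_depth = 0
    for line in source.splitlines():
        m = DIRECTIVE_RE.match(line)
        if m:
            kind, rest = m.groups()
            if kind in ("ifdef", "ifndef", "if"):
                stack.append(options_in(rest))
                if current is not None:
                    current.internal_blocks += 1
            elif kind == "elif":
                # An #elif branch belongs to the same block; union its options in.
                stack[-1] = stack[-1] | options_in(rest)
            elif kind == "endif":
                stack.pop()
            # "#else" flips polarity but involves no new options.
            if current is not None:
                current.max_nesting = max(current.max_nesting, len(stack) - start_len)
            continue
        stripped = line.strip()
        if current is None and brace_depth == 0:
            fm = FUNC_RE.match(stripped)
            if fm and not stripped.endswith(";"):
                current = FunctionMetrics(fm.group(1), frozenset().union(*stack))
                start_len = len(stack)
        brace_depth += stripped.count("{") - stripped.count("}")
        if current is not None and brace_depth == 0 and "}" in stripped:
            results.append(current)
            current = None
    return results


def group_means(metrics, vulnerable):
    """Average each metric for functions flagged vulnerable versus the rest.
    In a real study the flag comes from vulnerability history; here it is a
    constructed set of names."""
    groups = {"vulnerable": [], "non_vulnerable": []}
    for fm in metrics:
        groups["vulnerable" if fm.name in vulnerable else "non_vulnerable"].append(fm)
    out = {}
    for label, fms in groups.items():
        n = len(fms) or 1
        out[label] = {
            "functions": len(fms),
            "mean_presence_options": sum(len(f.presence_options) for f in fms) / n,
            "mean_internal_blocks": sum(f.internal_blocks for f in fms) / n,
            "mean_max_nesting": sum(f.max_nesting for f in fms) / n,
        }
    return out


if __name__ == "__main__":
    per_function = analyze(SAMPLE_C)
    for fm in per_function:
        print(fm)
    print(group_means(per_function, {"net_init"}))  # "net_init" flagged only for illustration
```

Run against the constructed sample, `net_init` is constrained by one option (CONFIG_NET) but contains two nested conditional blocks, while `core_init` is unconditional; `group_means` then aggregates those numbers per group the way a comparison of vulnerable and non-vulnerable functions would, once a real vulnerability history supplies the labels.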